Control System



This invention relates to a control system for a load such as a drive mechanism 
and in particular to a so-called "fail off" control system in which, when a fault 
is detected, the operation of the load is ceased or switched out. 

Control systems generally include fault detection systems which control the 
operation of the control system when a fault is detected. There are three main 
types of control system with fault detection: "fail on", in which the mechanism 
associated with the control system is maintained in an "on" state if a fault is 
detected (commonly used in situations (e.g. aircraft) in which to turn the 
system off may result in fatal consequences); "fail off", in which the mechanism
associated with the control system is put into an "off" state if a fault is detected 
(commonly used in situations (e.g. vehicle drive mechanisms) in which to leave 
the system on may result in fatal consequences); and "do nothing", in which the 
mechanism associated with the control system is maintained in its current state 
if a fault is detected and a log of the fault is generated for later inspection
and solution.

In accordance with the invention there is provided a control system for a load, 
the system comprising a first microprocessor having an output to provide a 
drive signal to drive the load, a second microprocessor to monitor the operation 
of the first microprocessor and the operation of the load, the system being 
arranged so that when the second microprocessor detects a fault in the 
operation of the first microprocessor and/or the operation of the load, the 
second microprocessor is arranged to switch out the load or halt the operation 
of the first microprocessor. 



The system may further comprise a first driver controlled by the first
microprocessor to drive the load and a second driver controlled by the second
microprocessor to switch out the load.

The second microprocessor may be arranged to monitor the current output from 
the load. 

The second microprocessor may be arranged to monitor the output from the 
first microprocessor and to detect if this output alters to become an input. 

The microprocessor may be arranged to calculate the current of the load and, if 
the load current does not meet pre-determined criteria, to switch out the load. 

In a further aspect of the invention there is provided a control method for a
load, the method comprising driving a load by means of a drive signal provided
by a first microprocessor, monitoring the operation of the first microprocessor
and the operation of the load by means of a second microprocessor, when the
second microprocessor detects a fault in the operation of the first
microprocessor and/or the operation of the load, the second microprocessor
switches out the load and/or halts the operation of the first microprocessor.

The invention will now be described, by way of example only, with reference 
to the accompanying drawing, in which: 

Figure 1 is a first embodiment of a drive control system according to the
invention.

Figure 1 shows a first embodiment of a drive control system according to the
invention. A load 10 is driven by two drivers, a high side driver 12 and a low
side driver 14. The operation of the drivers 12, 14 is controlled by a first
microprocessor 16. For safety reasons a second microprocessor 18 is provided
to monitor the operation of the drive control system. The drivers 12, 14 may
take any suitable form e.g. MOSFET switches or the like. The drivers 12, 14
may drive the load 10 by various means such as a Pulse Wave Modulation
(PWM) signal or the like.

Two microprocessors are provided to ensure a fail-safe operation of the drive
control system. In normal operation, the main microprocessor 16 controls the
high side driver 12 (the low side driver 14 normally being switched on) and
monitors the operation of the load by monitoring the low side of the load 10 at
point A.

Each microprocessor 16, 18 has programmed into it a set of rules by which the
operation of the load is controlled. The set of rules of the second
microprocessor 18 may be identical to the set of rules of the first
microprocessor. Alternatively, the set of rules of the second microprocessor 18
may be coarser than or a subset of the set of rules of the first microprocessor.

In use, the second microprocessor monitors the operation of the first
microprocessor 16 and the operation of the load 10 to determine if the system is
operating according to the set of rules of the second microprocessor. If either
is not operating according to the set of rules of the second microprocessor, the
microprocessor switches out the load 10 by means of setting the low side driver
12 to open. Thus the load no longer has any effect on other systems.

In a preferred implementation of the invention, the second microprocessor
monitors each of the outputs of the first microprocessor individually to monitor
for faults with the main microprocessor 16. In the embodiment shown in
Figure 1, this may be achieved by means of resistors R1, R2 and R3.

Each time a microprocessor is powered up, the microprocessor is reset which
usually involves most, if not all, of the pins of the microprocessor being set to
inputs. The programming of the microprocessor then resets the pins to their
required state for proper operation. If the microprocessor incorrectly sets a pin
to be an input rather than an output (or vice versa) clearly a fault with the
microprocessor will exist.

In the arrangement shown in Figure 1, resistor R1 is connected to the pin from
the main microprocessor 16 which is connected to the high side driver 12.
Resistor R1 prevents the high side driver 12 being driven when the pin is
incorrectly set as an input pin, for instance when the microprocessor 16 is reset.
This is achieved by the monitor microprocessor 18 which monitors the output
of the pin via R1 and if the voltage changes from a voltage allowable on an
output pin to one that is not allowable on an output pin, the monitor
microprocessor 18 detects this and recognises this as a fault.

In the arrangement of Figure 1 resistors R2 and R3 operate together to ensure
that if the output pin of the main microprocessor that is connected to the high
side driver 12 switches to become an input pin, then both the high and low
side drivers 12, 14 are switched to open and the effect of the load switched out.
Resistor R2 is connected between the ground rail and the output pin of the main
microprocessor that is connected to the high side driver 12. R3 is connected
between the ground rail and the output pin of the monitor microprocessor that
is connected to the low side driver 14.

The control system also includes a current sensor 20. This in itself may be a
potential fault source since if it fails then the microprocessors are unable to
detect this failure. This may be overcome by providing two current sensors in
series. Alternatively, in a preferred embodiment of the invention, a back-up to
the current sensor is provided by the monitor microprocessor which calculates
the current from the power supply voltage and the resistance of the load 10 by
means of the equation I = V/R. This may also be achieved by monitoring the
voltage at the high side driver and the voltage at the low side driver, calculating
the voltage drop across the load and, knowing the resistance of the load,
calculating the load current.

The results of the calculation may then be compared with the output of the 
current sensor 20 and if the difference between the two meets predetermined 
criteria (e.g. is less than or equal to a pre-determined threshold), then the 
monitor microprocessor detects a fault with the current sensor and either 
switches out the load as a result (for a fail off system) or logs the fault for 
subsequent consideration. In the latter case, the control system would then rely 
on the current calculation to monitor the current which may not be desirable, 
depending upon the type of load and/or the field of application of the load. 
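
The cross-check of current sensor 20 against the calculated load current, as it might run on the monitor microprocessor, is sketched below as an added example that is not part of the patent text. The type and function names, the sample voltages and the tolerance are assumptions, and the criterion used (a disagreement larger than a tolerance counts as a sensor fault) is one possible choice of pre-determined criteria.

```c
#include <math.h>
#include <stdbool.h>
#include <stdio.h>

typedef enum { POLICY_FAIL_OFF, POLICY_LOG_ONLY } policy_t; /* hypothetical names */

typedef struct {
    double high_v;   /* voltage at the high side driver (V) */
    double low_v;    /* voltage at the low side driver (V) */
    double sensor_a; /* reading from current sensor 20 (A) */
} sample_t;

typedef struct {
    bool sensor_fault; /* sensor and calculation disagree, or inputs unusable */
    bool load_enabled; /* false = monitor switches the load out */
    double current_a;  /* current value the monitor relies on afterwards */
} verdict_t;

/* Back-up estimate I = V/R from the voltage drop across the load. */
bool calc_load_current(sample_t s, double load_ohm, double *out) {
    double drop = s.high_v - s.low_v;
    if (!isfinite(drop) || !(load_ohm > 0.0)) return false;
    *out = drop / load_ohm;
    return true;
}

/* tol_a is an assumed criterion: a larger disagreement is a sensor fault. */
verdict_t check_current_sensor(sample_t s, double load_ohm, double tol_a, policy_t p) {
    verdict_t v = { true, false, 0.0 };
    double calc;
    if (!calc_load_current(s, load_ohm, &calc))
        return v; /* no trustworthy back-up value: switch out under either policy */
    /* Written as !(x <= tol) so that a NaN sensor reading counts as a fault. */
    if (!(fabs(calc - s.sensor_a) <= tol_a)) {
        v.load_enabled = (p == POLICY_LOG_ONLY); /* log and carry on, or fail off */
        v.current_a = calc;                      /* rely on the calculation */
        return v;
    }
    v.sensor_fault = false;
    v.load_enabled = true;
    v.current_a = s.sensor_a;
    return v;
}

int main(void) {
    sample_t stuck = { 12.0, 0.0, 0.0 }; /* constructed: sensor stuck at zero */
    verdict_t v = check_current_sensor(stuck, 6.0, 0.25, POLICY_FAIL_OFF);
    printf("fault=%d load_enabled=%d current=%.2f A\n", v.sensor_fault, v.load_enabled, v.current_a);
    return 0;
}
```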

The control system shown is applicable to many areas where the control of a 
drive is required. The invention has particular application to a gear control 
system, for instance as used in a vehicle, but this is not intended to be limiting. 
In the field of vehicular gear control systems, the load 10 may be a gear box 
selector, a clutch selector, a valve in a pneumatics system etc. 

Claims

1. A control system for a load, the system comprising a first
microprocessor having an output to provide a drive signal to drive the load, a
second microprocessor to monitor the operation of the first microprocessor and
the operation of the load, the system being arranged so that when the second
microprocessor detects a fault in the operation of the first microprocessor
and/or the operation of the load, the second microprocessor is arranged to
switch out the load or halt the operation of the first microprocessor.

2. A system according to claim 1 further comprising a first driver
controlled by the first microprocessor to drive the load and a second driver
controlled by the second microprocessor to switch out the load.

3. A system according to claim 1 or 2 wherein the second microprocessor
is arranged to monitor the current output from the load.

4. A system according to claim 1, 2 or 3 wherein the second
microprocessor is arranged to monitor the output from the first microprocessor
and to detect if this output switches to become an input.

5. A system according to any preceding claim wherein the microprocessor
is arranged to calculate the current of the load and, if the load current does not
meet pre-determined criteria, to switch out the load.

6. A system according to any preceding claim wherein the control system
is a vehicular control system.

7. A system according to any preceding claim wherein the load is a gear
box selector, a clutch selector or a valve.

8. A control method for a load, the method comprising driving a load by
means of a drive signal provided by a first microprocessor, monitoring the
operation of the first microprocessor and the operation of the load by means of
a second microprocessor, when the second microprocessor detects a fault in the
operation of the first microprocessor and/or the operation of the load, the
second microprocessor switches out the load and/or halts the operation of the
first microprocessor.

9. A method according to claim 8 further comprising driving the load by
means of a first driver controlled by the first microprocessor and switching out
the load by means of a second driver controlled by the second microprocessor.

10. A method according to claim 8 or 9 further comprising monitoring the
current output from the load by means of the second microprocessor.

11. A method according to claim 8, 9 or 10 further comprising the second
microprocessor monitoring the output from the first microprocessor to detect if
this output alters to become an input.



12. A method according to any of claims 8 to 11 further comprising
calculating the current of the load and, if the load current does not meet
pre-determined criteria, switching out the load.

13. A method according to any of claims 8 to 12 wherein the control method 
is applied to a vehicular control system. 




14. A method according to any of claims 8 to 13 wherein the load is a gear 
box selector, a clutch selector or a valve. 

ABSTRACT
CONTROL SYSTEM

A control system for a load (10), the system comprising a first microprocessor
(16) having an output to provide a drive signal to drive the load, a second
microprocessor (18) to monitor the operation of the first microprocessor and
the operation of the load (10), the system being arranged so that when the
second microprocessor (18) detects a fault in the operation of the first
microprocessor (16) and/or the operation of the load (10), the second
microprocessor is arranged to switch out the load (10) or halt the operation of
the first microprocessor (16).

Fig. 1